CVE-2025-58445
HIGH
Atlantis < 0.35.1 - Unauthenticated Sensitive Information Exposure via Status Endpoint
Title source: llm
Description
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target known vulnerabilities associated with the specific versions, potentially compromising the service's security posture. This issue does not currently have a fix.
References (1)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/runatlantis/atlantis/security/advisories/GHSA-xh7v-965r-23f7
Scores
CVSS v3: 7.5
EPSS: 0.0043
EPSS Percentile: 33.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-200
Status: published
Products (2)
runatlantis/atlantis
< 0.35.1
runatlantis/atlantis
0Go
Published: Sep 06, 2025
Tracked Since: Feb 18, 2026